No Shelter From a Cybercrime Storm
Anonymous hackers let fly with the information they pilfered from Stratfor, dumping it on the Web for all to see Friday. Hundreds of thousands of usernames, email addresses and hashed passwords were included. SpecialForces.com, a site that sells military clothing and personal gear, also found itself in hackers' crosshairs.
01/03/12 5:00 AM PT
The Anonymous hacker collective has run riot this holiday season, and security experts predict more pain from cybercriminals at large for the coming year.
As a follow-up to its breach of private think tank Stratfor's systems last week, the hacker collective, or its stepchild Antisec, dumped all the information stolen in the Stratfor break-in on the Web on Friday.
This includes 75,000 names, addresses, and MD5-hashed passwords of all Stratfor's paying customers, as well as about 860,000 usernames, email addresses and hashed passwords for everyone who's ever registered on Stratfor's site. It's not clear whether there's any overlap between the two categories.
MD5, the Message-Digest Algorithm, is a cryptographic hash function widely used in various security applications and to check data integrity. The United States Computer Emergency Readiness Team (US-CERT) has declared it unsuitable for further use because of its vulnerabilities.
Stratfor has taken its website offline and is using technology from CSID to provide 12 months of free identity protection services to victims of the hack into its systems, CSID told TechNewsWorld.
The company's clients include various government agencies and businesses in the United States and abroad. Among them are the United States Army, the U.S. Department of Homeland Security, Google, Apple, Microsoft, Air New Zealand and four Australian banks.
Anonymous also reportedly turned its guns on people who spoke up in support of Stratfor.
Blitzkrieg on SpecialForces.com
Anonymous apparently hacked the SpecialForces.com website back in August, although it made this public only recently.
The collective claims it has had about 14,000 passwords and information from 8,000 credit cards from the website's members. It stole the keys to crack encrypted data on SpecialForces.com's servers.
Special Forces Gear, which owns the website, reportedly said the passwords stolen are more than a year old and most of the credit card numbers have expired.
The company has reportedly rebuilt its website and implemented new security measures.
Taking Care of Business
Perhaps Stratfor and SpecialForces.com should have taken more stringent security measures from the outset.
It is indeed possible to stop even determined hackers, suggested Andrew Brandt, director of threat research at Solera Networks Research.
"It just takes a guard or team of guards, equipped with the right tools to get the job done, and an equal or greater degree of determination, to stop them," he told TechNewsWorld.
Hash Table Vulnerability's a Global Website Threat
When first discovered in 2003, the vulnerability was believed to affect only hash tables in Perl and CRuby, but nruns has found that it also affects other mainstream Web development platforms such as Java, ASP.NET, PHP 5 and Google's V8.
Ruby and Perl are rapid prototyping languages, while Java "is the technology of choice for massive enterprise-grade systems like [those used in] online banking," Jeff Schmidt, CEO of JAS Global Advisors, told TechNewsWorld.
"Monitor and keep up to date on vendor patches," Schmidt advised.
Microsoft issued Security Bulletin MS11-100 on Thursday to patch the vulnerability in ASP.NET. The patch will be downloaded and installed automatically on systems that have the automatic updating feature turned on.
"While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible," Dave Forstrom, director of Microsoft Trustworthy Computing, told TechNewsWorld.
PHP has also published a patch for this vulnerability, Qualys Chief Technology Officer Wolfgang Kandek said.
New Cybersecurity Efforts Coming
January will mark the launch of the National Critical Infrastructure Cybersecurity Education Initiative. The initiative aims to develop cybersecurity education programs jointly between the private and public sectors. It also calls for the completion of critical infrastructure frameworks by 2012.
The initiative is being led by the Global Institute for Cybersecurity + Research (GICSR).
The Federal government "needs to incorporate secure configurations and system configuration baselining as a core part of any recommendations for improving security," Dwayne Melancon, chief technology officer at Tripwire, told TechNewsWorld.
"Regardless of the industry -- the Federal government or the commercial sector -- I see a lot of enterprises [that] have documented processes and standards which aren't being followed effectively," Melancon said.